STATEMENT OF THE CASE

Appellants appeal under 35 U.S.C. § 134(a) from a final rejection of 
claims 1-6 and 9-14. Claims 7 and 8 are canceled. We have jurisdiction 
under 35 U.S.C. § 6(b). 

We AFFIRM-IN-PART. 



According to Appellants, the invention relates "to defending against 
attacks to networks by malicious users who attempt to disable a server by 
flooding the server with connectionless datagrams" (Spec. 1:7-10). 



Claim 1 is illustrative: 

1. A method of preventing a flooding attack on a
network server in which a large number of connectionless 
datagrams are received for queuing to a port on the network 
server, comprising: 

determining, in response to the arrival of a connectionless 
datagram from a host for a port on the network server, if the 
number of connectionless datagrams already queued to the port 
from the host exceeds a prescribed threshold; 

discarding the datagram, if the number of connectionless 
datagram already queued to the port from the host exceeds the 
prescribed threshold; and 

queuing the connectionless datagram to a queue slot of 
the port, if the number of connectionless datagram already 
queued to the port from the host does not exceed the prescribed 
threshold. 
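
The admission check recited in claim 1, as an added example that is not part of the decision or of the application: a Python model of one port's queue, with the threshold computed the way the claim 2 language quoted later in this decision describes (a percentage multiplied by the available queue slots). The class and method names, the 25% value and the sample addresses are assumptions made for the illustration.

```python
from collections import Counter, deque


class PortQueue:
    """Receive queue for one port with a per-host admission limit (constructed model)."""

    def __init__(self, max_slots, percentage):
        self.max_slots = max_slots    # total queue slots for the port (assumed value)
        self.percentage = percentage  # controlling fraction, e.g. 0.25 (assumed value)
        self.queue = deque()          # (host, payload) in arrival order
        self.per_host = Counter()     # datagrams currently queued, per sending host

    def threshold(self):
        # Percentage multiplied by the slots still available: shrinks as the queue fills.
        return self.percentage * (self.max_slots - len(self.queue))

    def on_datagram(self, host, payload):
        """Return True if the datagram was queued, False if it was discarded."""
        if len(self.queue) >= self.max_slots:
            return False  # no slot left on the port at all
        if self.per_host[host] > self.threshold():
            return False  # this host already exceeds the threshold: discard
        self.queue.append((host, payload))
        self.per_host[host] += 1
        return True

    def deliver(self):
        """Application reads one datagram; frees the slot and the host's count."""
        if not self.queue:
            return None
        host, payload = self.queue.popleft()
        self.per_host[host] -= 1
        if self.per_host[host] == 0:
            del self.per_host[host]
        return host, payload


def simulate():
    """Constructed traffic: one host floods the port, a second host sends five datagrams."""
    port = PortQueue(max_slots=100, percentage=0.25)
    flood_accepted = sum(port.on_datagram("198.51.100.7", b"x") for _ in range(1000))
    legit_accepted = sum(port.on_datagram("192.0.2.10", b"query") for _ in range(5))
    return flood_accepted, legit_accepted, len(port.queue)
```

Because the count is kept per host, the flooding host stalls once its own backlog passes the shrinking threshold, while the second host's datagrams are still queued.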

Rejections

Claims 1, 3, 5, and 14 stand rejected under 35 U.S.C. § 102(e) as
being anticipated by Schuba (US 6,725,378 B1, Apr. 20, 2004).

Claims 2, 4, 6, and 9-13 stand rejected under 35 U.S.C. § 103(a) as
being unpatentable over Schuba and Yavatkar (US 6,735,702 B1, May 11,
2004).

GROUPING OF CLAIMS 

(1) Appellants argue claims 1, 3, 5, and 14 as a group on the basis of 
claim 1 (App. Br. 9). We select independent claim 1 as the representative 
claim. We will, therefore, treat claims 3, 5, and 14 as standing or falling 
with representative claim 1. 

(2) Appellants argue claims 2, 4, and 6 as a group on the basis of 
claim 2 (App. Br. 19). We select dependent claim 2 as the representative 
claim. We will, therefore, treat claims 4 and 6 as standing or falling with 
representative claim 2. 

(3) Appellants argue claims 9 and 12 as a group on the basis of claim 9
(App. Br. 26). We select dependent claim 9 as the representative claim.
We will, therefore, treat claim 12 as standing or falling with representative
claim 9.

(4) Appellants argue claims 10 and 13 as a group on the basis of claim 10
(App. Br. 31). We select dependent claim 10 as the representative claim.
We will, therefore, treat claim 13 as standing or falling with representative
claim 10.

(5) Appellants separately argue claim 11. (App. Br. 34-35).

See 37 C.F.R. § 41.37(c)(1)(vii). See also In re Young, 927 F.2d 588,
590 (Fed. Cir. 1991).

FINDINGS OF FACT (FF) 
Schuba Reference 

1a. "SYN flooding arises when an attacker sends many
Transmission Control Protocol (TCP) connection requests, each initiated
with a 'SYNchronize' (also called SYN) packet, to a victim's machine" (col.
1, ll. 34-37). "The preferred embodiments of the present invention include
an active monitor that performs a process to reduce service degradation
caused by SYN flooding" (Schuba, col. 3, ll. 6-8).

1b. Schuba discloses that "[t]here is a limit on the number of
concurrent TCP connections that can be in a half-open connection state,
called the SYN-RECVD state (i.e., SYN received). When the maximum
number of half-open connections per port is reached, TCP discards all new
incoming connection requests until it has either cleared or completed some
of the half-open connections." (Schuba, col. 4, ll. 52-60).

1c. Schuba discloses that "an ACK packet is sent for suspect source
addresses to free resources of the destination hosts 54 by removing
connections from a half-open backlog queue" (Schuba, col. 11, ll. 19-21).

Yavatkar Reference 
2a. Yavatkar discloses "[p]roactive environment 100 configures
service object 300 . . . ." "For example, one set of permissioning may allow
agent 110 to use service object 300 to . . . alter settings for the port"
(Yavatkar, col. 12, ll. 29-33).

2b. Yavatkar discloses that "[t]he system and method ... of the
present invention uses agents - mobile software modules - to collect data on
the state of a network during a network attack" and (2) "[w]hen used herein,
an agent is a software module having the capability to move from node to
node on a network and to execute on the nodes to which it moves."
(Yavatkar, col. 3, ll. 25-40).

PRINCIPLES OF LAW 
In rejecting claims under 35 U.S.C. § 102, "[a] single prior art 
reference that discloses, either expressly or inherently, each limitation of a 
claim invalidates that claim by anticipation." Perricone v. Medicis Pharm. 
Corp., 432 F.3d 1368, 1375 (Fed. Cir. 2005) (citing Minn. Mining & Mfg. 
Co. v. Johnson & Johnson Orthopaedics, Inc., 976 F.2d 1559, 1565 (Fed. 
Cir. 1992)). 

In rejecting claims under 35 U.S.C. § 103, it is incumbent upon the 
Examiner to establish a factual basis to support the legal conclusion of 
obviousness. See In re Fine, 837 F.2d 1071, 1073 (Fed. Cir. 1988). If the 
Examiner's burden is met, the burden then shifts to the Appellants to 
overcome the prima facie case with argument and/or evidence. Obviousness 
is then determined on the basis of the evidence as a whole and the relative 
persuasiveness of the arguments. See In re Oetiker, 977 F.2d 1443, 1445 
(Fed. Cir. 1992). 

ANALYSIS

Claims 1, 3, 5, and 14 
Issue 1: Did the Examiner err in finding that Schuba teaches
(1) determining a number of connectionless datagrams already queued at a 
port; (2) discarding connectionless datagrams at a port; and (3) queuing 
connectionless datagrams at a port? 

Appellants argue their invention is not anticipated by Schuba because 
"Schuba does not teach anything regarding determining the number of 
connectionless datagrams queued at a port or discarding or queuing the 
number of connectionless datagrams at a port" (App. Br. 14). Appellants 
contend Schuba, instead, "teaches determining the number of half-open 
connections at a port," and "[t]he two features are entirely distinct" 
(Id.). 

The Examiner finds that "[h]alf-open connections are a queue of 
connectionless datagrams" (Ans. 8). The Examiner further finds "a 
connectionless datagram is equivalent to the half-open connection because it 
consists of an [] IP datagram which is by definition connectionless []." (Ans. 
9). We agree with the Examiner. 

In essence, Appellants argue that Schuba's half-open connection state
is not the same as the claimed "connectionless datagrams already queued to
the port from a host." We disagree. In general, the broadest reasonable
interpretation of a connectionless communication is a communication
without prior arrangement. Here, we find that Schuba's SYN packets (i.e.,
communication requests) can reasonably be seen as connectionless
datagrams.

For example, Schuba monitors the number of SYN packets flooding
to a victim's machine, as TCP connection requests are initiated with a SYN
packet (FF 1a). The Examiner interprets the SYN-RECVD state as a
connectionless datagram (Ans. 8), because a connection has not yet been
established (i.e., connection requests). We agree.

In Schuba, when the maximum number of half-open connections per
port is reached, all further incoming connection requests are discarded until
the number of half-open connections are cleared (FF 1b). Schuba further
discloses a half-open backlog queue (FF 1c). Thus, we find that Schuba
discloses determining the number of connectionless datagrams already
queued at a port, discarding the datagrams if a maximum number is reached,
and queuing the half-open connections if not.

The Examiner finds "[c]ounting and limiting the half-open 
connections is the same as determining if the connectionless datagram 
exceeds a prescribed threshold, [where] the limit is the 'prescribed 
threshold.'" (Ans. 9). We agree. 

Thus, Appellants have not persuaded us of error in the Examiner's
conclusion of anticipation for representative claim 1. Therefore, we affirm
the Examiner's § 102 rejection of independent claim 1 and of claims 3, 5,
and 14, which fall therewith.

Claims 2, 4, and 6
Issue 2: Did the Examiner err in finding that the prior art teaches or 
suggests "calculating the prescribed threshold by multiplying a percentage 
by the number of available queue slots for the port," as recited in claim 2? 

Appellants contend "Yavatkar nowhere teaches or suggests that 
calculating the average queue length uses a percentage operand in a 
multiplication operation" (App. Br. 21) (emphasis omitted). Further, 
Appellants contend "the cited portion nowhere mentions the word 
'percentage,' let alone teach or suggest using a percentage as an operand in a 
multiplication operation." (App. Br. 21). We agree. 

Although the Examiner cites column 15, line 63 through column 16, 
line 17, of Yavatkar, for disclosing the argued limitation of claim 2 (Ans. 
13), based on our review of the cited portions, we do not readily find any 
reference to threshold being calculated based upon a multiplication operation 
of a percentage of available queue slots. Instead, Yavatkar merely monitors 
a discard count and how full the buffer is. (Yavatkar, col. 16, ll. 8-16.)

Accordingly, we find the Examiner has erred in finding that the prior 
art teaches or suggests "calculating the prescribed threshold by multiplying a 
percentage by the number of available queue slots for the port," as recited in 
claim 2. Accordingly, we reverse the Examiner's rejection of claim 2, and
claims 4 and 6, which stand therewith.

Claims 9 and 12

Issue 3: Did the Examiner err in finding that the prior art teaches or 
suggests "configuring a maximum number of connectionless datagrams to be 
queued at the port," as recited in claim 9? 

Appellants argue that the cited art does not disclose any threshold
levels, such as maximum or minimum, and does not relate to any queuing
operations (App. Br. 28). We disagree.

The Examiner cites column 12, lines 27-39 of Yavatkar, for disclosing
altering settings for a port (Ans. 15; FF 2a). Furthermore, Schuba discloses
setting a maximum number of half-open connections per port (FF 1b).

Accordingly, the combination of Yavatkar and Schuba teaches and
suggests configuring a port, specifically, configuring a maximum number of
half-open connections (i.e., connectionless datagrams) to a port.

As such, Appellants have not persuaded us of error in the Examiner's 
conclusion of obviousness for claim 9. Therefore, we affirm the Examiner's 
§ 103 rejection of claim 9 and of claim 12, which falls therewith. 

Claims 10 and 13 
Issue 4: Did the Examiner err in finding that the prior art teaches or 
suggests "configuring a controlling percentage of available queue slots 
remaining for the port," as recited in claim 10? 

The Examiner finds "claim 10 is taught in Yavatkar col. 12, lines 27- 
39," where the agent may alter settings on a port (Ans. 15). 

Appellants argue "[t]he cited portion of Yavatkar differs from the
claimed feature because the cited portion does not relate to available queue 
slots for a port, let alone teach or suggest configuring a controlling 
percentage of available queue slots remaining for the port" (App. Br. 32-33) 
(emphasis omitted). We agree with Appellants. 

The cited portion of Yavatkar merely discloses that the settings for the 
port can be altered. However, without more of an explanation from the 
Examiner to correlate the teachings of Yavatkar to the claimed "controlling 
percentage of available queue slots," we do not see how the cited portions of 
column 12 of Yavatkar correspond to a "threshold is based on the 
controlling percentage of available queue slots" as recited in claim 10. 

Thus, we find the Examiner has erred in finding that the prior art 
teaches or suggests "configuring a controlling percentage of available queue 
slots remaining for the port," as recited in claim 10. Accordingly, we 
reverse the Examiner's rejection of claim 10, and claim 13, which stands 
therewith. 

Claim 11 

Issue 5: Did the Examiner properly combine Schuba and Yavatkar
without changing the principle of operation of Schuba?

Regarding the specific limitations in claim 11, Appellants merely 
argue that Schuba fails to teach the limitations of claim 1, from which claim 
11 depends (App. Br. 34). Thus, Appellants have chosen to let claim 11 fall 
or stand with claim 1. For at least the reasons noted supra regarding claim
1, we affirm claim 11. 

Appellants further argue that one of ordinary skill in the art would not 
have been motivated to modify Schuba with Yavatkar, because Schuba 
already possesses the advantage proposed by the Examiner (i.e., to gain 
information needed to diagnose a network attack) (see App. Br. 23) and 
"Yavatkar changes the principle operation of Schuba by teaching the use of 
mobile software modules that move between nodes of a network, while 
Schuba's system relies on a monitoring program that fixedly resides on one 
or more processing units" (App. Br. 26) (emphasis omitted). 

The Examiner finds that "[o]ne of ordinary skill in the art would have 
been motivated to perform such a modification in order to gain information 
needed to diagnose a network attack" and that "there exists a need for a 
system and method allowing for the distributed state of a network[,] such as 
information about attack traffic, to be quickly and accurately collected." 
(Ans. 5; see also Final Rej. 7). We agree. 

The Supreme Court has held that in analyzing the obviousness of 
combining elements, a court need not find specific teachings, but rather may 
consider "the background knowledge possessed by a person having ordinary 
skill in the art" and "the inferences and creative steps that a person of 
ordinary skill in the art would employ." See KSR Int'l Co. v. Teleflex Inc., 
550 U.S. 398, 418 (2007). Furthermore, in analyzing whether it would have 
been obvious to one of ordinary skill in the art to make a modification or 
combination, there does not have to be an express teaching, suggestion, or 
motivation (TSM) in a published article or issued patent. KSR, 550 U.S. at 
419 ("The obviousness analysis cannot be confined by a formalistic
conception of the words teaching, suggestion, and motivation, or by 
overemphasis on the importance of published articles and the explicit 
content of issued patents."). 

Here the Examiner has provided an articulated reason, with rational 
underpinnings, (see Ans. 5 and 16) as to why one of ordinary skill in the art
would combine the teachings of the applied art (e.g., (1) to gain information 
needed to diagnose a network attack and (2) because of the need for a 
system and method allowing for the distributed state of a network, such as 
information about attack traffic, to be quickly and accurately collected). 
Thus, we find that the Examiner has provided sufficient motivation for 
combining Schuba and Yavatkar. 

We have also considered Appellants' arguments that combining 
Yavatkar with Schuba would render Schuba inoperable, and find them 
unpersuasive. 

If a proposed modification would render the prior art invention being 
modified inoperable or unsatisfactory for its intended purpose, then the 
Examiner has failed to make a prima facie case of obviousness. In re 
Gordon, 733 F.2d 900, 902 (Fed. Cir. 1984). However, merely showing
alternative methods is not the same as making inoperable or unsatisfactory.
Here, we find that Schuba and Yavatkar merely disclose alternative methods 
for monitoring traffic on the network. 

For example, Schuba teaches that the monitoring resource 51 may be
a distributed system having multiple units. Similarly, Yavatkar teaches
monitoring a network using mobile software modules that have the
"capability to move from node to node on a network and to execute on the
nodes to which it moves" (FF 2b.). While combining the methods may 
create some redundancy, Appellants have not shown that it will make 
Schuba's system inoperative. 

As such, Appellants have not persuaded us of error in the Examiner's 
conclusion of obviousness for claim 11. Therefore, we affirm the 
Examiner's § 103 rejection of claim 11. 

DECISION 

The Examiner's rejection of claims 1, 3, 5, and 14 under 35 U.S.C. 
§ 102(e) as being anticipated by Schuba is affirmed. 

The Examiner's rejection of claims 2, 4, 6, 10, and 13 under 35 U.S.C. 
§ 103(a) as being obvious over Schuba and Yavatkar is reversed. 

The Examiner's rejection of claims 9, 11, and 12 under 35 U.S.C. 
§ 103(a) as being obvious over Schuba and Yavatkar is affirmed. 

No time period for taking any subsequent action in connection with 
this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv) (2009).

AFFIRMED-IN-PART 